GDPR and Self-Sovereign Identity: What Lies Ahead

GDPR and self-sovereign identity share a lot in common. GDPR regulates “the right to be forgotten” and self-sovereign identity enables it for the decentralized web. So, when and how will these two privacy functions intersect?

Self-sovereign and decentralized identity (DID) solutions like Sovrin or Ethereum’s uPort represent innovative opportunities for data ownership that use blockchains to flip the current model of centralized identity management on its head.

Identity management is an important component of online applications. Typically, when users sign up for an online service, a custom identity is created for that application. As a result, we sign up for new services and create new username and password combinations all the time. The problem is that there is no single source of truth for identity, so onboarding new users requires generating new user profiles for every unique application.

Centralized vs. Decentralized Identity

Some centralized services like Google and Facebook create single sign-on and federated ID management systems to share particular ID attributes across 3rd party connections and websites in order to create a single identity for their platform. However, without knowing it, users typically sign away their rights to create single sign-on IDs, which 3rd parties use to their advantage.

Instead of giving away the rights to all of your personal data for free in exchange for service, DID empowers users across various blockchain systems to choose which data (e.g. name, phone number, address, etc.) are available for decentralized applications (dApps) to use, for how long, and under what conditions that data is accessible.

One of the exciting advantages of DID is the ability to granularly select what data is shareable (e.g. just your name; not your phone number) and set limits on its use, including the ability to revoke access from the decentralized application at any time. This advancement puts users back in control and can be useful for overcoming complicated governance and compliance issues like GDPR in the future.

Self-Sovereign Identity Is the Holy Grail

The holy grail of DID is self-sovereign ID, which enables complete data ownership using public blockchains and (sometimes) homomorphic encryption techniques to securely protect users’ privacy.

Today, companies like Facebook and Google own all of your data by default and let users download some – but not all – personal data upon request. Self-sovereign ID stands in stark contrast to centralized competitors like Facebook. Instead of signing away your rights, self-sovereign ID solutions like Sovrin enable users to own their own data by default and set permissions to let applications request personal data for particular uses.

At the moment, there are several core hurdles that still need to be overcome in order for DID solutions to compete with centralized incumbents. For example, central functions like password reset need to be implemented and fine-tuned. Unlike centralized systems where there is an administrative capacity to override user errors and mistakes, there is currently no way to reset private cryptographic keys that have been lost, stolen, or corrupted in DID systems.

So, for now, centralized, single-sign on, and federated ID management solutions still have the upper hand on managing digital identity. While I’m excited by the promise of a DID shakeup, I believe that finding a middle ground will be achieved sooner than a complete reversal of the current power dynamics.

The Ebb and Flow of Standardization

The W3C Standards being developed for decentralized identifiers show promise in a solution that can help smoothly transition from centralized and federated IDs to a decentralized alternative that lets both blockchain startups and big tech incumbents create interoperable identity management solutions.

In general, open standards enable an even playing field and open up general-purpose technologies (GPTs) to be used and improved on by the masses. For example, the open source standardization of HTTP & TCP/IP protocols opened up the World Wide Web for mass use and ushered in a Cambrian explosion of online application development in the 90’s.

Taking an approach to DID that enables fair, open and usable standards could help users who are constrained by the centralized incumbents’ stranglehold on identity management achieve more privacy and independence online.

Since some form of identity is used in practically all online applications, the advancement of decentralized identity will likely affect many of the industries and verticals that we participate in today (from social media to banking, travel & hospitality, and government services).

Public, Private, and Governmental DID

An important distinction should be drawn between private, public and governmental DID usage. Today governments issue and maintain important identity credentials like birth certificates, social security cards, drivers’ licenses, and passports. But, in the future, there may be a different dynamic at play. One in which DID blends private, public, and legal domains to authenticate different attributes of a person’s identity according to the application in use. I believe this multi-party route for DID will come together in the next few years.

Altogether, the opportunities for this general-purpose technology are vast. When weighing the costs vs. benefits of R&D, implementation, ease of use, and interoperability, the question of real-world utility for DID boils down to practicality.

Early Adopters Open the Door to More Real-World Use Cases

Some early applications of DID are digital media rights management, licensing and proof of ownership using public blockchains (e.g. Civil and Po.et). Right now, the nature of implementing DID with public, immutable blockchains makes it difficult to edit private attributes across varying media types or revise timestamped records like blockchain attestations to copyright and digital rights licensing. What’s more, the ability to reconcile real-world legal claims with digital rights management and licensing remains open-ended.

So, we’re currently stuck at a crossroads between conceivable utility, technological capacity, and legal authority. As blockchain technologies and DID standards continue to develop, I’m confident that more practical applications will enter mainstream use. Overall, I believe we’ll start to see the real-world impact of DID on initiatives like GDPR, copyright and digital rights licensing in the next 5 to 10 years.